12-22-2007, 03:28 AM   #1
tanveer (Member, registered Feb 2004, Distribution: RHEL-3/4/5, Gloria, opensolaris)

Asking for authentication even after getting authenticated with ADS

Dear all,

I need some help from all of you.
I am facing a problem after joining an Ubuntu PC to a Windows Server 2003 domain; it authenticates with the ADS without any problem. But after logging in with an AD username and password, it keeps asking me for the password for almost everything: accessing a shared directory, accessing a shared printer, and after configuring Evolution I can easily synchronize with Exchange Server 2003, but it asks me for the password every time I try to open Evolution, reply to a mail, or even open a new mail; almost for everything.

What I am trying to achieve here is to migrate all my users from Windows to the Linux platform, and as a first step, authenticating Ubuntu 7.10 against Windows AD was successful. But now this authentication problem is getting in the way.

I followed the steps here for authenticating with windows AD:
https://help.ubuntu.com/community/Ac...ryWinbindHowto.

I also posted it in the Ubuntu forum but nobody seems to be interested, or maybe it's a dumb question to answer. The link is below:
http://ubuntuforums.org/showthread.php?t=635967

Here are the steps I followed along with the above tutorial:
Code:
Ubuntu Users Authentication through ADS

We have to install all the required packages as follows:

samba
samba-common (installed by default)
smbclient (installed by default)
winbind
openssh-server
openssh-client

Kerberos
krb5-config
krb5-user

Configuration Settings on Ubuntu
Verify Kerberos, LDAP, AD, and Winbind support
You will need to check you have support for Kerberos, LDAP, AD, and Winbind:
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS

# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND
If you're missing any of these options, you need to recompile Samba.

Configure and Test Kerberos
------------------------------
/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IMATION.COM

[realms]
 IMATION.COM = {
  kdc = ubuntu.imation.com
  kdc = kubuntu.imation.com
  kdc = edubuntu.imation.com
 }

[domain_realm]
 .kerberos.server = IMATION.COM
Be sure to use uppercase where applicable as shown above, and when you test the connection with kinit. If you mess up your cases, you will get the error "Cannot find KDC for requested realm while getting initial credentials".

Test the connection with:
# kinit xp@IMATION.COM
Password for xp@IMATION.COM
Here, xp is the admin user with the rights to join a PC to AD.

[root@pc-2165 squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xp@IMATION.COM

Valid starting     Expires            Service principal
09/30/07 18:44:17  10/01/07 04:44:27  krbtgt/IMATION.COM@IMATION.COM
        renew until 10/01/07 04:44:17


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Configure and Test Samba
------------------------
/etc/samba/smb.conf

[global]
        workgroup = IMATION
        realm = IMATION.COM
        server string = Linux Web Server
        security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        preferred master = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +

[homes]
        comment = Home Directories
        valid users = %S
        read only = yes
        browseable = No

Save your changes and run 'testparm' to check for any syntax errors.
# testparm

# /etc/init.d/smb start
Finally, join your Samba machine to Active Directory:

# net ads join -U xp@IMATION.COM
xp@IMATION.COM's password:
Using short domain name -- IMATION
Joined 'SSO-ADS' to realm 'IMATION.COM'

If this works, shut down Samba and enable winbind (as below). If not, you'll need to do some troubleshooting.
# ntlm_auth --username=<Any AD username>

You should get this output: "NT_STATUS_OK: Success (0x0)"


Enabling Winbind
/etc/nsswitch.conf

passwd:     compat winbind
group:      compat winbind
shadow:     compat

hosts:      files dns wins
networks:   files dns
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files

Save your changes, and fire up winbind and Samba:
# service winbind stop
# /etc/init.d/smb start
# service winbind start
Confirm winbindd is running:
# pgrep winbindd
You can verify winbind is working with:
# wbinfo -u

# wbinfo -g

Modify the PAM settings:

1) /etc/pam.d/common-account should contain only the following lines

account sufficient pam_winbind.so
account required pam_unix.so

2) /etc/pam.d/common-auth should contain only the following lines

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
auth    required    pam_deny.so

3) Modify the /etc/pam.d/common-password file so the max parameter is set to 50, similar to the one shown below

password required pam_unix.so nullok obscure min=4 max=50 md5

4) Make sure the /etc/pam.d/common-session file contains the following lines

session    required    pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

5) Make a directory to hold domain user home directories

Note: use the value you put in the workgroup parameter of the /etc/samba/smb.conf file

mkdir /home/IMATION
Any help will be greatly appreciated.
Thanks in advance.
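A small configuration linter, added here as an example (it is not from the post or the how-to it follows), that checks the files from the steps above for the mistakes the how-to warns about: a realm that is not uppercase in krb5.conf, a missing kdc, security not set to ADS or a realm mismatch in smb.conf, and pam_winbind.so missing or listed after pam_unix.so (which carries use_first_pass) in the PAM files. The sample configs are constructed and deliberately contain two of those mistakes.

```python
import re

# Tiny INI-style parser for smb.conf and krb5.conf; lines inside a nested krb5
# block ("IMATION.COM = { ... }") get the block name as a key prefix.
def parse_ini(text):
    conf, section, prefix = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section, prefix = m.group(1).strip().lower(), ""
            conf.setdefault(section, {})
        elif line.endswith("{"):
            prefix = line.rstrip("{ =") + "."
        elif line == "}":
            prefix = ""
        elif "=" in line and section is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            conf[section][prefix + k.lower()] = v
    return conf

# Returns human-readable problems; an empty list means the files match the how-to.
def lint_ad_config(krb5_text, smb_text, pam_files):
    issues, krb5, smb = [], parse_ini(krb5_text), parse_ini(smb_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if realm != realm.upper():  # the case error the how-to warns about
        issues.append(f"krb5.conf: realm '{realm}' must be uppercase (kinit: Cannot find KDC)")
    if realm + ".kdc" not in krb5.get("realms", {}):
        issues.append(f"krb5.conf: no kdc defined for realm '{realm}'")
    g = smb.get("global", {})
    if g.get("security", "").lower() != "ads":
        issues.append("smb.conf: security must be ADS to join the domain")
    if g.get("realm", "") != realm:
        issues.append("smb.conf: realm must equal krb5.conf default_realm")
    for name, text in pam_files.items():
        # third column of each PAM line is the module; PAM runs them top to bottom
        mods = [r[2] for r in map(str.split, text.splitlines()) if len(r) >= 3 and r[0][0] != "#"]
        if "pam_winbind.so" not in mods:
            issues.append(f"{name}: pam_winbind.so missing, domain users cannot authenticate")
        elif "pam_unix.so" in mods and mods.index("pam_unix.so") < mods.index("pam_winbind.so"):
            issues.append(f"{name}: pam_unix.so before pam_winbind.so, so use_first_pass has no password")
    return issues

# Constructed sample, not the poster's files: the lowercase realm and the swapped
# common-account order are deliberate, to show what the linter flags.
SAMPLE_KRB5 = "[libdefaults]\n default_realm = imation.com\n[realms]\n imation.com = {\n  kdc = ubuntu.imation.com\n }\n"
SAMPLE_SMB = "[global]\n workgroup = IMATION\n realm = IMATION.COM\n security = ADS\n idmap uid = 10000-20000\n"
SAMPLE_PAM = {"common-auth": "auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure use_first_pass\n",
              "common-account": "account required pam_unix.so\naccount sufficient pam_winbind.so\n"}
if __name__ == "__main__":
    print("\n".join(lint_ad_config(SAMPLE_KRB5, SAMPLE_SMB, SAMPLE_PAM)) or "no issues")
```

To check a real machine, read /etc/krb5.conf, /etc/samba/smb.conf and the /etc/pam.d/common-* files into the same call.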

12-23-2007, 10:02 PM   #2
tanveer (Original Poster)
Hi,
One more thing: is LDAP required to overcome this problem?

I have no idea how this post came into the Software section. As far as I remember, I definitely posted it in the Networking section.

Last edited by tanveer; 12-23-2007 at 10:18 PM. Reason: Came in wrong section of forum